Snort mailing list archives

Re: Reassembled packets from Frag3 and Stream5


From: Rayne <hjazz6 () ymail com>
Date: Wed, 15 Oct 2008 22:04:59 -0700 (PDT)

Let me know if I understand this correctly.

Say I have a large HTML file that gets passed from the application layer to the TCP layer. TCP will look at this stream 
of data and divide it into segments, and append a TCP header to each segment. Each TCP segment will then be passed to 
the IP layer. If the TCP segment is larger than the MTU, then IP will further break up the TCP segments into fragments 
that are each smaller than the MTU. Each of these fragments will then have an IP header appended to it. This also means 
that some of these IP fragments will not have a TCP header. These IP fragments are then passed to the network layer.

Now, when these IP fragments are passed through the preprocessors, they first go through Frag3. The IP fragments are 
reassembled and form the TCP segments from before. At this stage, the original HTML file is still in chunks and not 
whole yet. These TCP segments then pass through the Stream5 preprocessor, where they are reassembled, and we are able 
to obtain the original HTML data.

If the TCP segments were smaller than the MTU size, then there would be no IP fragmentation, and these TCP segments 
would then pass through Frag3 unchanged.

If I have a string "ABCDEF" that I want to match, but the string spans across 2 fragments, i.e. "ABC" on one and "DEF" 
on the other, am I right to say the reassembled pseudo-packet by Frag3 and Stream5 will trigger the alert? What about 
UDP fragments?

Off-topic: How do I reply such that my posting appears within/under the previous relevant post, instead of creating a 
new posting/topic every time I reply?

Thank you.

Regards,
Rayne

--- On Wed, 10/15/08, Matt Olney <molney () sourcefire com> wrote:
From: Matt Olney <molney () sourcefire com>
Subject: Re: [Snort-users] Reassembled packets from Frag3 and Stream5
To: wu_weidong () yahoo com
Cc: snort-users () lists sourceforge net
Date: Wednesday, October 15, 2008, 1:03 PM

Pseudo packets from the Frag3 processor are then eligible to be stream reassembled in stream5.  Snort does not 
differentiate between pseudo packets or regular packets for the purpose of reassembly.  To extend your question 
somewhat, it is possible to alert more than once on a single attack.  If that attack is contained within one fragment, 
Snort will alert again on the reassembled packet.  If that packet is part of a stream, Snort will alert a third time on 
the reassembled stream.


The performance gain comes from the use of the flowbits: and flow:.  By being aware of the state of the stream, and 
being able to bail early in the rules evaluation process based on that state, we can avoid unnecessary load.  For 
example, flow: is very important in the following rule:


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bersek 1.0 runtime detection - init connection"; 
flow:to_server,established; flowbits:isset,Backdoor.Bersek.Init; content:"|23|[version]1.0"; depth:13; nocase; 
threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; 
reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0..html; classtype:trojan-activity; sid:9657; rev:3;)


Because of the nature of the backdoor, we won't know for sure what tcp port it is listening on.  However, Stream5 tells 
us whether a packet is destined for a server or a client and using the "flow: to_server, established" check means we 
don't have to do any of the other checks if the packet is going the wrong way.  Further, the use of the 
Backdoor.Bersek.Init flowbit means that the stream must have already been tagged with a flowbit or, once again, we'll 
bail on the detection, avoiding unnecessary processing.


You might want to check out the performance rules slides at http://www.snort.org/vrt/docs/white_papers/, it might make 
some of this more clear.

Matt
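A toy model of the pipeline discussed above (the "ABCDEF" split across two fragments, and Matt's point that one attack can alert on the fragment, again on the Frag3 pseudo-packet, and again on the Stream5 reassembled stream). This is an added, constructed example, not Snort code; the Frag/fragment/frag3/stream5/run_pipeline names are assumptions, and detection is reduced to a plain substring search.

```python
# Constructed toy model of Snort's Frag3 -> Stream5 -> detection path (not Snort code).
from dataclasses import dataclass

PATTERN = b"ABCDEF"  # the content: string from the question


@dataclass
class Frag:
    dgram_id: int   # IP identification; shared by all fragments of one datagram
    seq: int        # TCP sequence number, carried by the datagram's first fragment
    offset: int     # fragment offset within the datagram payload
    payload: bytes


def fragment(seq: int, data: bytes, mtu: int, dgram_id: int) -> list:
    """Split one TCP segment's payload into IP fragments of at most `mtu` bytes."""
    return [Frag(dgram_id, seq, off, data[off:off + mtu])
            for off in range(0, len(data), mtu)]


def frag3(frags: list) -> list:
    """Reassemble fragments per datagram id, regardless of arrival order.
    Returns (seq, payload, was_fragmented) per datagram."""
    by_id = {}
    for f in frags:
        by_id.setdefault(f.dgram_id, []).append(f)
    out = []
    for parts in by_id.values():
        parts.sort(key=lambda f: f.offset)
        out.append((parts[0].seq, b"".join(p.payload for p in parts), len(parts) > 1))
    return out


def stream5(segments: list) -> bytes:
    """Order TCP segments by sequence number and join them into one stream buffer."""
    return b"".join(data for _, data, _ in sorted(segments, key=lambda s: s[0]))


def run_pipeline(frags: list) -> dict:
    """Count alerts at each of the three points where Snort inspects the data."""
    alerts = {"fragment": sum(PATTERN in f.payload for f in frags)}
    segments = frag3(frags)
    # Frag3 only injects a pseudo-packet when it actually had to reassemble something.
    alerts["pseudo_packet"] = sum(PATTERN in data for _, data, fragged in segments if fragged)
    alerts["stream"] = int(PATTERN in stream5(segments))
    return alerts
```

With "ABC"/"DEF" in two fragments the pattern misses on the raw fragments and hits once on the pseudo-packet and once on the stream; an unfragmented segment hits on the packet and again on the stream; a split across two segments hits only after Stream5.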



On Tue, Oct 14, 2008 at 8:53 PM, Wu Wei Dong <wu_weidong () yahoo com> wrote:

So it's possible for the pseudo-packets reassembled by Frag3 and Stream5 to be identical, in terms of both the headers 
and payload, if the fragments are the same? Do the pseudo-packets go through the preprocessors again, since the decoder 
comes before the preprocessors?

Also, what do you mean by "performance increase that is gained by handling flows with an understanding of the stream 
state."?

Thank you.

Regards,
Rayne

--- On Tue, 10/14/08, Matt Olney <molney () sourcefire com> wrote:
From: Matt Olney <molney () sourcefire com>
Subject: Re: [Snort-users] Reassembled packets from Frag3 and Stream5
To: hjazz6 () ymail com
Cc: snort-users () lists sourceforge net
Date: Tuesday, October 14, 2008, 9:00 PM

The reassembled packets are identical to the combined payloads of the packets that are reassembled.  Snort reinjects the 
reassembled packets (pseudopackets) at the decoder level and detection is run against the reassembled packets.  While 
this does indeed add load to the system, this cost is entirely acceptable given the decrease in trivial evasion 
possibilities and is more than offset by the performance increase that is gained by handling flows with an 
understanding of the stream state.



Matt

On Tue, Oct 14, 2008 at 4:42 AM, Rayne <hjazz6 () ymail com> wrote:

Hi all,

I know that Frag3 reassembles IP fragments, and Stream5 reassembles TCP fragments. So are the reassembled packets 
identical, i.e. in terms of payload? And wouldn't this increase the volume of traffic passed into the detection engine 
and cause it to run slower, since there are now more packets to check against the rules?

Thank you.

Regards,
Rayne


